WEBVTT

00:06.980 --> 00:11.450
As you're going through your different problems within your vulnerability aspect in your report, you'll

00:11.450 --> 00:17.120
be going, okay, I've got these little problems or I've got these major problems I need to prioritize.

00:17.270 --> 00:20.600
And in most cases, you're probably going to have a list that's three miles wide.

00:20.600 --> 00:23.630
And thinking to yourself, how in the world am I actually going to be able to get through all these

00:23.630 --> 00:26.240
issues that are available on my network?

00:26.270 --> 00:29.720
On the other hand, maybe I'm completely wrong and you've only got 2 or 3.

00:29.750 --> 00:31.370
It's not going to be 2 or 3.

00:31.370 --> 00:36.500
It's probably going to be three miles wide of the different aspects or problems, flaws, misconfigurations,

00:36.500 --> 00:39.050
vulnerabilities associated with your network environment.

00:39.080 --> 00:43.700
You need to be able to prioritize those, but a lot of times the priority is going to change from day

00:43.700 --> 00:47.300
to day, if not hour to hour, as new vulnerabilities erupt on your system.

00:47.480 --> 00:49.130
This poses a major problem.

00:49.130 --> 00:52.070
However, we need to develop what's called an action plan.

00:52.100 --> 00:56.990
An action plan identifies specific vulnerabilities to go through and figure out what needs to happen

00:56.990 --> 00:57.530
with those.

00:57.560 --> 01:02.000
Now, usually a vulnerability action plan isn't something that we're going through and saying,

01:02.000 --> 01:05.870
hey, this is a critical vulnerability that needs to be fixed right now, right?

01:05.870 --> 01:07.460
In this instance, we need to fix that.

01:07.670 --> 01:11.300
More often than not, a vulnerability action plan is something where it's like, we've got all

01:11.300 --> 01:16.820
these vulnerabilities that are low to medium or even high, but they're not critical.

01:16.850 --> 01:20.120
How am I going to deal with those different vulnerabilities within my system?

01:20.120 --> 01:24.020
And we create this action plan to go, okay, here's the vulnerability.

01:24.050 --> 01:26.600
Here's what I need to address the vulnerability.

01:26.600 --> 01:32.630
This is what I need to do in order to preempt that vulnerability or that remediation action, that preemptive

01:32.630 --> 01:33.080
attack.

01:33.110 --> 01:35.180
Maybe I need to order some supplies.

01:35.180 --> 01:37.160
I need to order this piece of equipment.

01:37.160 --> 01:38.810
I need to do this patch.

01:38.810 --> 01:42.860
I need to write this script because all of our machines have these vulnerabilities.

01:42.860 --> 01:47.510
And honestly, going manually through them one by one will take years.

01:47.510 --> 01:50.450
But if I write a script, it's done in a couple of hours.

01:50.450 --> 01:52.460
So that's our vulnerability action plan.

01:52.460 --> 01:57.080
We literally are writing the vulnerability or the problem that we see, and then we're writing a plan

01:57.080 --> 01:59.880
of action to fix or to resolve that vulnerability.

01:59.910 --> 02:04.980
Whether it's ordering new equipment right now, or actually fixing it or working on it at a later

02:04.980 --> 02:07.710
date, we're identifying what needs to happen.

02:07.980 --> 02:14.310
A senior SOC analyst or senior analyst may go through and identify to a brand new employee or somebody

02:14.310 --> 02:17.910
that's not used to our system and go, okay, I've identified these vulnerabilities.

02:17.910 --> 02:19.200
Here's what the alarm is.

02:19.200 --> 02:21.210
Here's what the problem is.

02:21.450 --> 02:23.970
Here's what I want you to do during the graveyard shift.

02:23.970 --> 02:29.490
It's not uncommon to see that type of action plan, whether in a formal environment like you

02:29.490 --> 02:34.200
see here, or an informal environment where we're really just writing it on a piece of paper and saying,

02:34.200 --> 02:39.330
here's the alert number, here's the problem, this is what's happening so that they can learn what's

02:39.330 --> 02:39.870
going on.

02:39.870 --> 02:42.060
And here's the fix for it I need you to implement.

02:42.060 --> 02:45.270
That's a vulnerability action plan tied up into a nice little bow.

02:45.720 --> 02:49.740
Configuration management is part of that vulnerability action plan.

02:49.740 --> 02:53.550
More often than not, we have a configuration problem within our system.

02:53.550 --> 02:59.850
There was a specific company listed not too long ago, which I'll keep nameless, that had some

02:59.850 --> 03:03.180
use of default credentials across their routers.

03:03.180 --> 03:09.300
And because of those default credentials, we saw a vulnerability introduced where a third party, i.e.

03:09.330 --> 03:14.400
a malicious actor, was able to go into that router and then copy all the data that was moving through

03:14.430 --> 03:17.520
it and gain full access to different data points.

03:17.550 --> 03:19.260
This was a problem that was an invalid

03:19.260 --> 03:20.340
configuration.

03:20.370 --> 03:24.900
Part of configuration management is to identify the misconfiguration or the configuration problem in

03:24.900 --> 03:25.710
the first place.

03:25.710 --> 03:28.950
We need to identify that problem and then correct it.

03:28.950 --> 03:32.760
But before we just go in there and start correcting things, we need to back up the system.

03:32.790 --> 03:37.320
Now we're not usually talking about a firewall or well, yeah, we are actually with a firewall, but

03:37.320 --> 03:38.310
more like a router.

03:38.310 --> 03:42.570
We're not really talking about those, but maybe something that has a long list of commands.

03:42.570 --> 03:45.870
We can save that configuration or back it up.

03:45.870 --> 03:50.160
That way if we do something to screw something up, we can go back through and restore it and start

03:50.160 --> 03:50.760
again.

03:50.760 --> 03:55.590
It's not uncommon when we're working with something that's in production, i.e. a piece of equipment

03:55.590 --> 03:58.710
that we're going to change the configuration, that we back it up first.

03:58.710 --> 04:00.810
That's the standard policy for most companies.

04:00.810 --> 04:02.130
And there's a reason for that.

04:02.130 --> 04:07.170
If I go in and start messing with that configuration file, yes, it should take place and it should

04:07.170 --> 04:08.040
work properly.

04:08.040 --> 04:11.190
But technology rarely does exactly what we want it to do.

04:11.190 --> 04:15.660
And so standard operating procedure is to back up everything before we start messing with it.

04:15.660 --> 04:21.480
So if I go into a firewall per se, I can configure or back up that configuration file onto a USB or

04:21.480 --> 04:23.160
onto a different file on my laptop.

04:23.160 --> 04:28.740
I then mess around with it, and then I implement the configuration changes that I want, and then upload

04:28.770 --> 04:33.630
them all at once while saving the original backup file for restoration if it doesn't take the way it's

04:33.630 --> 04:34.230
supposed to.

04:34.260 --> 04:37.020
These are basic principles of configuration backup.

04:37.020 --> 04:39.330
We also need, however, accounting control.

04:39.360 --> 04:43.320
Now, most people, when they think of accounting control, are thinking, oh, I need to identify different

04:43.320 --> 04:43.920
numbers.

04:43.920 --> 04:47.250
Or, you know, I need to identify the finances.

04:47.250 --> 04:48.660
That's not what we're talking about here.

04:48.660 --> 04:51.600
We're talking about accounting control: who did what and when.

04:51.600 --> 04:57.190
If I go into a router or a firewall and I make a change to that configuration file, I need to be

04:57.190 --> 04:58.390
able to annotate my name.

04:58.390 --> 05:03.910
I should have an ID associated with any changes that I committed against that piece of equipment, or

05:03.910 --> 05:06.100
maybe in the notes section or somewhere else.

05:06.100 --> 05:08.650
And we need to keep a count of those different files.

05:08.980 --> 05:14.380
I know within a company I worked for, when we made any changes to the configuration file, specifically

05:14.380 --> 05:18.520
within telecommunications, we would go through and we would make backup files.

05:18.520 --> 05:20.410
We would change the configuration.

05:20.410 --> 05:24.460
We would then save the new configuration, which we made sure worked, as a different file name.

05:24.460 --> 05:28.720
So not only do we have the original, but we had the newly created backup, and then we would leave

05:28.720 --> 05:31.690
that USB attached to the equipment via a string.

05:31.720 --> 05:34.780
Now, that string was usually about five feet long so you could maneuver it.

05:34.810 --> 05:38.860
It wasn't in the way, and it would just hang off the server rack without any problems whatsoever.

05:38.860 --> 05:40.360
But we had accounting control.

05:40.360 --> 05:45.610
We would also go into the cloud environment and upload that new configuration into the cloud, so that

05:45.610 --> 05:50.740
if that USB became lost or it got disconnected or somebody didn't have access to it, or maybe they

05:50.740 --> 05:55.580
used it on a new piece of equipment that was literally doing the same thing as this piece of equipment.

05:55.580 --> 05:58.550
They could just upload that configuration file and save some time.

05:58.550 --> 06:01.910
But we kept that and we maintained the accountability of it,

06:01.910 --> 06:02.900
annotating:

06:02.900 --> 06:08.270
this was the person, the technician, the person with the technical knowledge that changed this latest

06:08.270 --> 06:08.840
file.

06:08.840 --> 06:12.500
That way if something went wrong, it wasn't to blame them, it was to correct them.

06:12.500 --> 06:15.230
This goes into that culture aspect that we talked about earlier.

06:15.260 --> 06:18.980
Very rarely do we want to blame somebody for the flaws or the problems that they caused.

06:19.010 --> 06:21.080
Now, I'm not saying don't tell them they made a mistake.

06:21.110 --> 06:22.190
That's not what I'm saying.

06:22.190 --> 06:25.670
But what I am saying is we're not going to shame people into making it to where they don't want to work

06:25.670 --> 06:26.330
there anymore.

06:26.330 --> 06:29.990
Security experts, especially technology experts, are hard to come by.

06:30.020 --> 06:35.240
Building them up and training them is a valuable part of any type of enterprise environment, and having

06:35.240 --> 06:41.060
that good culture of repair and recognition and that, yeah, you made a mistake, but this is how we

06:41.060 --> 06:41.570
fix it.

06:41.570 --> 06:42.680
Let's do this in the future.

06:42.680 --> 06:44.390
That's part of our everyday job.

06:44.390 --> 06:46.550
You can't expect everybody to be perfect.

06:46.580 --> 06:49.700
And you're going to hear me harp on this as we go through these different slides.

06:50.360 --> 06:52.670
The other thing that we need to understand is patching.

06:52.700 --> 06:58.900
Patching comes into play when a piece of software or a configuration or whatever needs to be updated

06:58.900 --> 06:59.980
to the latest edition.

06:59.980 --> 07:05.110
We talked about patching and the different aspects of patching earlier in this course, but just as

07:05.110 --> 07:08.980
a reminder, we need to test the patching software first, then we need to implement it.

07:09.010 --> 07:14.380
We need to have a backup plan, and then we need to be able to actually go through and implement

07:14.380 --> 07:19.030
those patches and then retest to make sure that it worked out properly on a production server.

07:19.060 --> 07:21.610
That's the natural life cycle of patching.

07:21.640 --> 07:26.710
And we're going to continue that process as we go through in our vulnerability management plan.

07:26.860 --> 07:32.830
We spoke about compensating controls earlier in this course, but just as a refresher, when it comes

07:32.830 --> 07:38.560
to configuration management and compensating controls, I may have a configuration that's vendor specific.

07:38.560 --> 07:42.790
And they suggest we do it this specific way for a reason.

07:42.790 --> 07:48.880
However, sometimes we have a piece of equipment that needs to be configured against the vendor specifications

07:48.880 --> 07:50.950
in order to function in our enterprise environment.

07:50.950 --> 07:57.310
This could be because we have an unusual network architecture or an older system that doesn't like the

07:57.310 --> 07:58.990
way that the vendor has it set up.

07:59.170 --> 08:02.470
It could be it introduces a vulnerability because of the way it interacts.

08:02.470 --> 08:07.600
There could be a plethora of reasons as to why we configure something the way we do in our enterprise

08:07.600 --> 08:09.220
environment to get it to work.

08:09.250 --> 08:13.960
And so sometimes we need to provide compensating controls to ensure that security that we would have

08:13.960 --> 08:17.200
had if we had done it in the first place how the vendor wanted us to do it.

08:17.200 --> 08:22.210
This is where compensating controls come into play in configuration, when we're talking about different

08:22.210 --> 08:27.250
vulnerabilities or older equipment or legacy equipment, as it's interacting with our different aspects

08:27.250 --> 08:28.090
of our network.

08:29.290 --> 08:32.470
Finally, we need to do awareness education training, right?

08:32.500 --> 08:37.570
We've talked about awareness education and training before throughout this course, but I want to reemphasize

08:37.570 --> 08:38.110
this.

08:38.140 --> 08:43.600
Training, awareness and education is more than just our low-hanging fruit, right?

08:43.630 --> 08:45.550
Our different employees that may not be in IT.

08:45.700 --> 08:50.260
We need to understand that our IT department, as well as our cybersecurity department, needs to be

08:50.260 --> 08:54.830
kept up to date with the latest training, the latest education when it comes to our enterprise

08:54.830 --> 08:55.460
environment.

08:55.460 --> 09:00.290
This is because you may have somebody that's been doing cybersecurity so long that they come in with

09:00.290 --> 09:02.240
this mindset that they know everything.

09:02.240 --> 09:03.650
I've been doing this for 20 years.

09:03.650 --> 09:05.960
I don't need somebody coming in and telling me how to redo it.

09:05.990 --> 09:07.430
Technology changes.

09:07.430 --> 09:12.380
Different ways that we implement different technologies change, the way we implement older technology

09:12.380 --> 09:12.980
changes.

09:12.980 --> 09:18.320
And so making your employees go through training to understand those changes is imperative, especially

09:18.320 --> 09:21.740
in an environment where technology is constantly changing.

09:21.950 --> 09:26.150
Anytime you've got somebody that says, I've been doing this for so long and I don't need training,

09:26.150 --> 09:27.470
it's time for them to go.

09:27.500 --> 09:31.490
I mean, I hate to be that kind of guy, but if you can't keep up to date with the newest technology,

09:31.490 --> 09:34.250
you're really of no use to the company as a whole.

09:34.250 --> 09:41.720
And since technology changes so often, having this mindset is just toxic to the entire environment.

09:41.930 --> 09:46.190
So getting them into training, making them understand the need for training, that's imperative.

09:46.220 --> 09:48.170
Now that's our IT and cyber teams.

09:48.170 --> 09:50.450
But what about the rest of our enterprise environment?

09:50.480 --> 09:55.370
What about the janitors, the help desk employees, the managers, the directors, even the C-suite?

09:55.490 --> 09:58.880
Believe it or not, the C-suite is probably the worst one to get to take training because they don't

09:58.880 --> 10:01.070
feel like they need to know it because they're so busy.

10:01.100 --> 10:05.120
It's not that they don't appreciate the training, it's just they have a lot on their plate, and then

10:05.120 --> 10:07.700
they have the authority to get away with not doing the training.

10:07.700 --> 10:09.290
And this often poses some issues.

10:09.290 --> 10:11.960
So we need to impress upon them the need for that training.

10:11.960 --> 10:15.620
So they're going through and understanding the different capabilities that could happen.

10:15.890 --> 10:20.960
You can do this in a variety of ways, but let's get back to the majority of what's going on with the

10:20.960 --> 10:22.970
training and awareness for our average employee.

10:23.000 --> 10:27.710
We want to do formal training, i.e. you attend a class. We want to do informal training; that could

10:27.710 --> 10:30.680
be showing up at a desk where somebody had an impromptu problem.

10:30.680 --> 10:35.750
Maybe they clicked on a phishing link and then just explaining to them what they did wrong as a cybersecurity

10:35.780 --> 10:39.950
specialist, and then how to correct it in the future without placing blame.

10:39.950 --> 10:45.200
And then the third type is those recurring trainings where we hang posters or we do different methodologies,

10:45.200 --> 10:49.040
or even an email that says, don't forget, we don't click on phishing links.

10:49.040 --> 10:50.240
That kind of training.

10:50.240 --> 10:54.770
So we really need to utilize those training measures throughout our enterprise environment as often as

10:54.770 --> 10:55.700
possible.

10:56.000 --> 10:57.110
Getting formal training.

10:57.110 --> 10:59.900
You're probably not going to get away with that more than once or twice a year.

10:59.900 --> 11:01.940
But informal training we do any time.

11:01.940 --> 11:05.480
And those little reminders, we can do those as much as twice a week.

11:05.600 --> 11:09.260
I really encourage you not to do twice a week.

11:09.260 --> 11:13.130
We really kind of want to stick to every other week whenever possible, because otherwise the

11:13.130 --> 11:16.280
emails start to get ignored and then it doesn't do anything for us.

11:17.390 --> 11:22.370
We need to look at the changing business requirements as we move through in cybersecurity.

11:22.430 --> 11:25.790
Again, going back to that same knowledge of, oh, I've been doing this for 20 years.

11:25.790 --> 11:30.230
I don't need to do this. It's the same thing as that, I don't like change.

11:30.230 --> 11:35.090
The problem is that business changes very regularly, almost as often as technology changes.

11:35.090 --> 11:39.500
You have companies that go through and they can sell needles, or they can sell bolts or they can sell

11:39.500 --> 11:40.130
whatever.

11:40.130 --> 11:44.690
But the overarching process changes as technology increases.

11:44.690 --> 11:47.420
We can automate a lot of different things as it comes through.

11:47.420 --> 11:52.260
And those changing business requirements could come into play, as changing business requirements come

11:52.260 --> 11:55.020
into play for technology, especially cybersecurity.

11:55.050 --> 11:59.700
We need to be able to incorporate those different changes within our enterprise environment.

11:59.700 --> 12:04.170
If something changes, we need to resist the challenge to say, no, no, we can't do that.

12:04.290 --> 12:09.480
You got to remember that cybersecurity is there to help companies be secure as they make money.

12:09.480 --> 12:13.830
As soon as you become a roadblock for that enterprise environment making money, then you

12:13.830 --> 12:15.630
are the problem, not the solution.

12:15.630 --> 12:21.540
And since cyber security doesn't actually make money in a business organization, we need to perpetuate

12:21.540 --> 12:26.460
this idea that we're there to help, even though we're there to help make it secure.

12:26.460 --> 12:28.740
And so, with that mindset, changing

12:28.740 --> 12:30.480
business requirements come into play.

12:30.510 --> 12:37.020
We need to adapt to those changing business requirements, either with technology changes, policy changes

12:37.020 --> 12:41.640
or whatever changes are stipulated to ensure that not only are we doing those changes the way the business

12:41.670 --> 12:45.480
wants to do it, we're also doing it in a safe and secure manner.

12:45.480 --> 12:47.310
And that's where we come into play.
